Thursday, January 04, 2007

What you need to know about the UXSS in the Acrobat Plugin

"This find changed Web app expert Jeremiah Grossman's mind about the bug. Yesterday, Grossman, CTO of White Hat Security, had said the PDF XSS bug didn't really raise the XSS risk level overall. But in light of RSnake's finding, Grossman now considers this "really bad" and worries that it could be used as a payload for attacks much worse than XSS."

To clarify, I was thinking the issue didn't raise the risk level of XSS since just about every website is vulnerable anyway.

Anyway, I’ve been reading the reports and the data conflicts all over the place. InfoSec people are having the same problem. They’re unsure about what this is or what they need to do about it. I’ll try to boil this down to the relevant points and see if I can help out.

Here’s how the attack works:

Attacker locates a PDF file hosted on website.com

They create a specially crafted URL pointing to the PDF, with some JavaScript malware appended in the fragment portion (Example: http://website.com/path/to/file.pdf#s=javascript:alert("xss");)

Attacker entices a victim to click on the link

If the victim has Adobe Acrobat Reader Plugin 7.0.x or less, confirmed in Firefox and Internet Explorer, the JavaScript Malware executes.

Everything XSS has been shown to be capable of, including Phishing w/ Superbait, Intranet Hacking, Web Worms, History Stealing, etc., is now available to the attacker.

Things to keep in mind

The vulnerability is very pervasive, as it lowers the hackability bar from the target website needing to have an XSS issue to simply hosting a PDF.

Normally XSS vulnerabilities are a problem in server-side code; this one is on the client side (the web browser).

The fragment portion of the URL, where the payload is stored, is NOT submitted to the web server. So the server can’t see it, and won’t be able to block it.
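As an added example (not from the original post), here is a small Python link checker of the kind a defender might run over outbound links or incoming mail: it shows that only the path and query reach the server while the javascript: payload stays in the fragment, and it flags PDF links whose fragment carries such a payload. The sample links are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links: one benign Acrobat open parameter (#page=3),
# two payload-carrying PDF links, and one non-PDF link with the same fragment.
SAMPLE_LINKS = [
    "http://website.com/path/to/file.pdf#s=javascript:alert(%22xss%22);",
    "http://website.com/path/to/file.pdf#page=3",
    "http://website.com/path/to/file.PDF?v=2#S=JAVASCRIPT%3Aalert(1)",
    "http://website.com/index.html#s=javascript:alert(1)",
]

# javascript: scheme at the start of a value, tolerating case and leading control chars.
_JS_SCHEME_RE = re.compile(r"^[\s\x00-\x1f]*javascript\s*:", re.IGNORECASE)


def request_target(url):
    """What the browser puts in the request line: path plus query, never the fragment."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def is_pdf_path(url):
    return urlsplit(url).path.lower().endswith(".pdf")


def fragment_params(fragment):
    """Split an 'a=b&c=d' style fragment into a dict, decoding percent-escapes."""
    pairs = {}
    for item in fragment.split("&"):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs[unquote(key).strip().lower()] = unquote(value)
        elif item:
            pairs[unquote(item).strip().lower()] = ""
    return pairs


def classify_link(url):
    """Report what the server sees, what stays client-side, and whether it looks like a PDF UXSS link."""
    parts = urlsplit(url)
    params = fragment_params(parts.fragment)
    suspicious = is_pdf_path(url) and any(_JS_SCHEME_RE.match(v) for v in params.values())
    return {"server_sees": request_target(url), "fragment": parts.fragment, "suspicious": suspicious}


def scan_links(urls):
    """Return the links that should be blocked or quarantined before a user can click them."""
    return [u for u in urls if classify_link(u)["suspicious"]]
```

Because the fragment is only visible where the link itself is visible (page source, mail body, proxy logs of referring pages), this kind of check belongs in link-scanning or content filtering, not in the PDF host's access logs.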

If they host PDFs on a site and don't wish to be used as a basis to launch an attack, they could configure rewrite rules so any URL to a PDF gets redirected to the same URL with the parameters trimmed from the end.

Jeremiah, not just Firefox and Internet Explorer, but also Mozilla, which I use (Mozilla 1.7.7), have this issue. So this hole is in IE6 (and IE5 also), Mozilla, FF1 and FF2, and Opera on Windows XP (and potentially other non-XP Windows platforms); you just need the Acrobat plugin installed in your browser.

And it is a really dangerous and widespread vulnerability. There are up to 317,000,000 sites over the Web which have PDF files (as Google said). And every admin of every site needs to deal with this Universal XSS in PDF.

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!